In a communications system, a campus network generally refers to the network of a campus or the intranet of an enterprise. The main feature of a campus network is that the routers, network switches, and similar devices disposed on it are managed by a management organization (for example, the owner of the campus network).
As shown in FIG. 1, the network architecture of a campus network includes at least one user terminal and at least one network switch. A network switch that is located on the user terminal side and is directly connected to a user terminal is generally called an access switch or an access switching node. A network switch that is located on the network side and is connected to an access switching node is generally called an aggregation switch or an aggregation switching node. Each interface on an access switching node may be connected to no user terminal or to at least one user terminal. If a user terminal is connected to an access switching node, it may be connected in a wired manner. An interface on the other side of the access switching node is connected to an aggregation switching node to implement packet transmission.
In the network architecture of the campus network shown in FIG. 1, after a user terminal is successfully connected to an access switching node in a wired manner, authentication needs to be performed before packet transmission to check whether the user terminal is allowed to access the campus network. The user terminal can send a packet to the access switching node only when it is allowed to access the campus network for packet transmission. Generally, there are two manners of implementing this authentication and thereby controlling whether the user terminal can access the campus network for packet transmission.
In a first manner, an access switching node performs the authentication. That is, the access switching node authenticates the access of the user terminal and determines, according to the authentication result, whether the user terminal is allowed to access the campus network for packet transmission. The network architecture of the campus network shown in FIG. 1 is used as an example, where a user terminal 1 and a user terminal 2 are connected to an access switching node 1 in a wired manner, a user terminal 3 is connected to an access switching node 2 in a wired manner, and both the access switching node 1 and the access switching node 2 are connected to an aggregation switching node. In implementation, the access switching node 1 authenticates the user terminal 1 and the user terminal 2, and the access switching node 2 authenticates the user terminal 3. The user terminal 1, the user terminal 2, or the user terminal 3 can access the network for packet transmission only when its authentication succeeds. When the first manner is used, each access switching node in a system needs to implement access authentication on the user terminals connected to it. However, because a system generally contains many access switching nodes, the complexity of the network architecture used in the first manner is relatively high.
In a second manner, an aggregation switching node implements authentication on access of a user terminal. In the system architecture shown in FIG. 1, the aggregation switching node implements authentication on any user terminal in the system that is connected to an access switching node. If the authentication succeeds, the aggregation switching node allows all user terminals that are connected to that access switching node to access the network. That is, in this manner, after the access authentication implemented by the aggregation switching node on any one user terminal connected to the access switching node succeeds, another user terminal connected to the same access switching node does not require access authentication and can directly access the network for packet transmission through the access switching node. When the second manner is used, control over a single user terminal cannot be implemented, and security is poor.
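The difference between the two manners can be seen in a small model of the FIG. 1 topology in which only user terminal 1 authenticates. This is an added example, not part of the original text; the class names, the terminal and node labels, and the credential set are constructed for illustration.

```python
# Constructed topology mirroring FIG. 1: user terminal -> access switching node.
TOPOLOGY = {"terminal1": "access1", "terminal2": "access1", "terminal3": "access2"}
# Constructed credential store: terminals able to pass authentication.
VALID = {"terminal1", "terminal3"}


class AccessNodeAuth:
    """First manner: each access switching node authenticates its own terminals."""

    def __init__(self, topology):
        self.topology = topology
        # One authenticator state per access node: the terminals it admitted.
        self.admitted = {node: set() for node in set(topology.values())}

    def authenticate(self, terminal):
        ok = terminal in VALID
        if ok:
            self.admitted[self.topology[terminal]].add(terminal)
        return ok

    def may_send(self, terminal):
        return terminal in self.admitted[self.topology[terminal]]

    def authenticator_count(self):
        return len(self.admitted)  # grows with the number of access nodes


class AggregationNodeAuth(AccessNodeAuth):
    """Second manner: the aggregation node opens a whole access node at once."""

    def __init__(self, topology):
        self.topology = topology
        self.open_nodes = set()  # state is per access node, not per terminal

    def authenticate(self, terminal):
        ok = terminal in VALID
        if ok:
            self.open_nodes.add(self.topology[terminal])
        return ok

    def may_send(self, terminal):
        return self.topology[terminal] in self.open_nodes

    def authenticator_count(self):
        return 1  # only the aggregation switching node authenticates


def compare():
    """Authenticate terminal1 only, then report who may send in each manner."""
    out = {}
    for name, cls in (("first", AccessNodeAuth), ("second", AggregationNodeAuth)):
        model = cls(TOPOLOGY)
        model.authenticate("terminal1")
        out[name] = (model.authenticator_count(),
                     {t: model.may_send(t) for t in TOPOLOGY})
    return out
```

In the second manner, terminal2 is admitted without ever authenticating because the authorization state is kept per access switching node; in the first manner it is blocked, at the cost of one authenticator per access switching node.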
In conclusion, common methods for controlling access of a user terminal are either relatively complex to implement or provide relatively poor security.